Hacking Fox.

This is just a walk in the park, really. Google's been on their servers before, due to some weird configuration setting. But well, it's nice to look a couple of months later to see what those foxtards actually did to secure it. Nothing right. So this stuff isn't very post worthy and only annoying, but I reckoned it might wake someone up who also serves up 10 year old Perl/CGI files. I mean what is wrong with these people if I can gain access to a huge user database by using my browser? so much for trusting Fox all your personal details! So what I'll do is going through the steps, I won't show the 100K user database because Google already has it. Ask Google, not me. It is probably public domain since 1997.

So, what up with this code?

EOM
 dbmopen (%QUESTDATA, "../../quest", 0644);
 while (($email, $data_str) = each(%QUESTDATA)) {
 @data = split(/\t/,$data_str);
 $l_name = $data[0];
 $f_name = $data[1];
 $m_init = $data[2];
 $case1 = $data[3];
 $case2 = $data[4];
 $case3 = $data[5];
 $case4 = $data[6];
 if ($case3 eq "yes") {

# print "$f_name $m_init $l_name <br> \n";
 $sortednames{$l_name} = "$f_name $m_init";
 }
 }
 foreach $foo (sort keys(%sortednames)) {
 print "$sortednames{$foo} $foo<br> \n";
 }
 dbmclose(%QUESTDATA);
 print <<"EOM";

or:

EOM



######################################################



dbmopen(%PLAYERDB, "players", 0666);



while (($email,$data) = each(%PLAYERDB)) {
 ($name,$t1,$t2,$t3,$t4,$t5,$t6) = split(/\|/,$data);
 if (($t1 eq "1") && ($t2 eq "1") && ($t3 eq "1") && ($t4 eq "1") && ($t5 eq "1") && ($t6 eq "1")) {
 print "<P ALIGN=\"CENTER\"><B><FONT COLOR=\"\#FF9933\" SIZE=\"+1\">$name<\/B><\/FONT><\/P>";
 }

}



dbmclose(%PLAYERDB);



#######################################################



print <<"EOM";

See, they use the function dbmopen and access a database or directory storing user data because NDBM is enabled. Thing is, you can access that db though your browser pretty simple. Just use: dbname.dir and you'll download the whole dir or dbname.pag to download the pagefile. Or even better: dbname.data for a complete database.

dbmopen (%QUESTDATA, "../../quest", 0644);



foxserver/foo/bar/../../quest.dir

foxserver/foo/bar/../../quest.pag

foxserver/foo/bar/../../quest.data



dbmopen(%PLAYERDB, "players", 0666);



foxserver/players.dir

foxserver/players.pag

foxserver/players.data

They have old php3 configurations running, giving me complete PHP code access whenever I want to. A screenie below for proof of a simple PHP injection:

Indeed, top secret eh?

Then I got bored, it's so annoying to stumble upon this.
source: OWASP News